Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp3416204ybn; Fri, 27 Sep 2019 06:08:53 -0700 (PDT) X-Google-Smtp-Source: APXvYqw64noWqtFRNaiZTzcDVM+zG7x7gnVFWdWA18WWbHU6ZRASLBdu3d8hAQCf7wVQP5byQvNb X-Received: by 2002:a05:600c:2252:: with SMTP id a18mr7453797wmm.141.1569589733268; Fri, 27 Sep 2019 06:08:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569589733; cv=none; d=google.com; s=arc-20160816; b=kwEQeWGWpU6knhom88RTmdzJrLtjODGWjChcDqSZWAdOPfCXR9iz1qxIbFzIkzCSZl aBVX8rq17lhnA4rzqr2wvmnDms0exDPa1j4M0J8HMYJ7mlL/WHFaiDjfHPfEVR3NTr0x X9P58wI1FBHChKejvHjRbs8FJK6MaQGqv6DUqsDF0jdm7Sh/jyBaLPb3qUI2fNIfpWxu zs6GsrnY1Bz+n/NzVEjWRXytkohc6jKy1EcBSoGke+pztstXXSpdbcdUk26z3DqykaE1 Ap7GQ1wWM+p37n9Cxl0fbL/vAojS42mMf8UPJsFY650+edFXaJnAQL1GGai3XVgrM5j8 iaQg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=KFGrykQPVrfrF/RCxAyujZ2hxx3LnFuQxZYE85jjQVw=; b=A7+jwkLDFTSQiivM74bQbA6Hg+3ZUdI1Hjb+hUwzJQJy7g6lsi685IyRRdIZoUzGee x+FBC3HZc8bLECDsj9+yqH8VLB6mPlgxZYgFgxMfeBlMqeeSewFs47einEqeFNbFwfE4 bEXj2QepaLamcyKaIylrKjI6pNOatZw7Umwu7lW+4+4phMI0zzZxTm7izES3UJysaGaR 2YZV/TrZK6tcjhT49CmgPTJxvQ7tz6zRKHJUkMa8NfAQhKOIaXDFE93sXjm10eOsi/0W S6LGwKY59GRqeas+dQrMrw0TUc/DcTzzEIMyCdEp4gJDC6FTHanKKbZOO2vVOfphAkZv AI3w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="eCGU90/x"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x30si1481155edi.351.2019.09.27.06.08.27; Fri, 27 Sep 2019 06:08:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="eCGU90/x"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727314AbfI0NHj (ORCPT + 99 others); Fri, 27 Sep 2019 09:07:39 -0400 Received: from mail-qk1-f193.google.com ([209.85.222.193]:36120 "EHLO mail-qk1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726144AbfI0NHj (ORCPT ); Fri, 27 Sep 2019 09:07:39 -0400 Received: by mail-qk1-f193.google.com with SMTP id y189so1874278qkc.3 for ; Fri, 27 Sep 2019 06:07:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KFGrykQPVrfrF/RCxAyujZ2hxx3LnFuQxZYE85jjQVw=; b=eCGU90/xZEVHkKCXyCx9dXZYOtfiWFMq7pEiL6sVql5nIOuzUZmap6FW0TUmXa8+PU W7QjgFFyd0b7aGdzPj7JWFAaCxxkWHiLoAbcLFEFqS/5ZZWYoKcTAaAWkUAHhbeUW1FR kx/2TVbuRs9rN+dyRdEJw/yO/C/kppDIKK1TIs7Y2hIspTSWOLca0dGiNdfPh1ytEa0t tgfvgh7hlc9wXM1pdjaDWdUEQRj7Q+Yf8araXc0PrH+FuFKSfGxMA51kOFodqv3P89X3 ClaMNs+Rr9x6+jwHltu3agDcuMkJqn+LiYWQhxmIonMqgaCA+H/rdfPLRojuTZgYyNZ0 eSPw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KFGrykQPVrfrF/RCxAyujZ2hxx3LnFuQxZYE85jjQVw=; b=mk0Ji5LRlm+oy7rGHTkfiPLpboCn4dpfD1o27TGybXKHKPYHDqqrryn3LiI/GM+xrg 0bauqhtkOMcFUjwBcDEELXCxPi6Gg9v5jl76KtjlZtmyFRvJoLhCfa44Cey1+3KCZBck jVjjoS+zalEjDU8x2O8Nz2zTCCLnrve3pMgWOvoIQp2L6yc8w/00rAnsaXTybDfh80Q2 5SZjhcz8uPZtFHR4RqqTfIemyW+yFpPQWBBgI5U6PNWw3IQv/z6zN5eAJjDoBHQMZmW7 fKuEN8IX1O2ESKSTmdfWMnLifYwHlXEcnQqW5YzsKpJtvVBMQsvHRGqDnwcSvZTZMSIv ItWA== X-Gm-Message-State: APjAAAUGtD6+hPe7Zdwqyx/Qx2g/SPX9HraYIFNLTiflm5umBz7ZYaM1 YVT9zvjBB/Js+TM102xwj4Xql4jpMAU5cxcTcToZVQ== X-Received: by 2002:a37:9202:: with SMTP id u2mr4399020qkd.8.1569589657502; Fri, 27 Sep 2019 06:07:37 -0700 (PDT) MIME-Version: 1.0 References: <20190927034338.15813-1-walter-zh.wu@mediatek.com> In-Reply-To: <20190927034338.15813-1-walter-zh.wu@mediatek.com> From: Dmitry Vyukov Date: Fri, 27 Sep 2019 15:07:25 +0200 Message-ID: Subject: Re: [PATCH] kasan: fix the missing underflow in memmove and memcpy with CONFIG_KASAN_GENERIC=y To: Walter Wu Cc: Andrey Ryabinin , Alexander Potapenko , Matthias Brugger , LKML , kasan-dev , Linux-MM , Linux ARM , linux-mediatek@lists.infradead.org, wsd_upstream Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Sep 27, 2019 at 5:43 AM Walter Wu wrote: > > memmove() and memcpy() have missing underflow issues. > When -7 <= size < 0, then KASAN will miss to catch the underflow issue. > It looks like shadow start address and shadow end address is the same, > so it does not actually check anything. > > The following test is indeed not caught by KASAN: > > char *p = kmalloc(64, GFP_KERNEL); > memset((char *)p, 0, 64); > memmove((char *)p, (char *)p + 4, -2); > kfree((char*)p); > > It should be checked here: > > void *memmove(void *dest, const void *src, size_t len) > { > check_memory_region((unsigned long)src, len, false, _RET_IP_); > check_memory_region((unsigned long)dest, len, true, _RET_IP_); > > return __memmove(dest, src, len); > } > > We fix the shadow end address which is calculated, then generic KASAN > get the right shadow end address and detect this underflow issue. > > [1] https://bugzilla.kernel.org/show_bug.cgi?id=199341 > > Signed-off-by: Walter Wu > Reported-by: Dmitry Vyukov > --- > lib/test_kasan.c | 36 ++++++++++++++++++++++++++++++++++++ > mm/kasan/generic.c | 8 ++++++-- > 2 files changed, 42 insertions(+), 2 deletions(-) > > diff --git a/lib/test_kasan.c b/lib/test_kasan.c > index b63b367a94e8..8bd014852556 100644 > --- a/lib/test_kasan.c > +++ b/lib/test_kasan.c > @@ -280,6 +280,40 @@ static noinline void __init kmalloc_oob_in_memset(void) > kfree(ptr); > } > > +static noinline void __init kmalloc_oob_in_memmove_underflow(void) > +{ > + char *ptr; > + size_t size = 64; > + > + pr_info("underflow out-of-bounds in memmove\n"); > + ptr = kmalloc(size, GFP_KERNEL); > + if (!ptr) { > + pr_err("Allocation failed\n"); > + return; > + } > + > + memset((char *)ptr, 0, 64); > + memmove((char *)ptr, (char *)ptr + 4, -2); > + kfree(ptr); > +} > + > +static noinline void __init kmalloc_oob_in_memmove_overflow(void) > +{ > + char *ptr; > + size_t size = 64; > + > + pr_info("overflow out-of-bounds in memmove\n"); > + ptr = kmalloc(size, GFP_KERNEL); > + if (!ptr) { > + pr_err("Allocation failed\n"); > + return; > + } > + > + memset((char *)ptr, 0, 64); > + memmove((char *)ptr + size, (char *)ptr, 2); > + kfree(ptr); > +} > + > static noinline void __init kmalloc_uaf(void) > { > char *ptr; > @@ -734,6 +768,8 @@ static int __init kmalloc_tests_init(void) > kmalloc_oob_memset_4(); > kmalloc_oob_memset_8(); > kmalloc_oob_memset_16(); > + kmalloc_oob_in_memmove_underflow(); > + kmalloc_oob_in_memmove_overflow(); > kmalloc_uaf(); > kmalloc_uaf_memset(); > kmalloc_uaf2(); > diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c > index 616f9dd82d12..34ca23d59e67 100644 > --- a/mm/kasan/generic.c > +++ b/mm/kasan/generic.c > @@ -131,9 +131,13 @@ static __always_inline bool memory_is_poisoned_n(unsigned long addr, > size_t size) > { > unsigned long ret; > + void *shadow_start = kasan_mem_to_shadow((void *)addr); > + void *shadow_end = kasan_mem_to_shadow((void *)addr + size - 1) + 1; > > - ret = memory_is_nonzero(kasan_mem_to_shadow((void *)addr), > - kasan_mem_to_shadow((void *)addr + size - 1) + 1); > + if ((long)size < 0) > + shadow_end = kasan_mem_to_shadow((void *)addr + size); Hi Walter, Thanks for working on this. If size<0, does it make sense to continue at all? We will still check 1PB of shadow memory? What happens when we pass such huge range to memory_is_nonzero? Perhaps it's better to produce an error and bail out immediately if size<0? Also, what's the failure mode of the tests? Didn't they badly corrupt memory? We tried to keep tests such that they produce the KASAN reports, but don't badly corrupt memory b/c/ we need to run all of them. > + ret = memory_is_nonzero(shadow_start, shadow_end); > > if (unlikely(ret)) { > unsigned long last_byte = addr + size - 1; > -- > 2.18.0 > > -- > You received this message because you are subscribed to the Google Groups "kasan-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@googlegroups.com. > To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/20190927034338.15813-1-walter-zh.wu%40mediatek.com.